Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Many Infections At Once!! (Trojans)


  • This topic is locked This topic is locked
20 replies to this topic

#1 C. Jackson

C. Jackson

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:03:47 PM

Posted 31 August 2009 - 12:34 PM

I imported a trojan(s) on the heels of a frostwire download, which AVG caught, "healed" and moved to the vault. immediately, computer froze and upon restart displayed a black screen with no explorer booted. Only thing on the screen was a documents window. Upon opening task manager, was able to start a task explorer.exe. Computer operates "okay", but browsing speed is diminished from infection, and any/all atempts at cleaning the system are blocked with a window containing verbage that "the application is not a valid win32". I run Vista Home Basic SP1 on an OEM propriety platform (Toshiba Satellite Laptop), which when purchased 3 months ago from Best Buy was optimized by in house Geek Squad. My firewall is currently on, however the Vista security center is not controlable, i.e. cannot turn on or off anything. AVG will not initialize, nor will any malware, or adware software alike. The AVG vault contains the following information as to it's activity regarding the infection. It is as follows:

"C:\qtowjid.exe";"Trojan horse SpamBot.W";"Moved to Virus Vault"
"C:\rrena.exe";"Trojan horse SHeur2.AYCY";"Moved to Virus Vault"
"C:\Users\User\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B31SGACJ\20090717013501[1].exe";"Trojan horse Dropper.Generic.AVIA";"Moved to Virus Vault"
"C:\Users\User\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ICE3AC0C\fvoogxxl[1].txt";"Trojan horse SpamBot.W";"Moved to Virus Vault"
"C:\Users\User\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ICE3AC0C\unkbo[1].htm";"Trojan horse SHeur2.AYCY";"Moved to Virus Vault"
"C:\Users\User\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q203X0GX\rkxynxyppq[1].htm";"Trojan horse Small.AU";"Moved to Virus Vault"
"C:\Users\User\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RXMDN5XB\fvoogxxl[1].txt";"Trojan horse SpamBot.W";"Moved to Virus Vault"
"C:\Users\User\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RXMDN5XB\unkbo[1].htm";"Trojan horse SHeur2.AYCY";"Moved to Virus Vault"
"C:\Users\User\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\V6YUPF7S\20090814091151[1].exe";"Trojan horse Generic14.YPG";"Moved to Virus Vault"
"C:\Users\User\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\V6YUPF7S\20090817043906[1].exe";"Virus identified Packed.Noper";"Moved to Virus Vault"

Though these have been supposedly moved to the vault, the infection is obvious. According to your guide I attempted the dds.scr which was not allowed with the "not valid win32 application" window displayed.

I was able to acquire the ark.txt file requested, and as follows. I appreciate any and all help with this matter, and frostwire or any other P2P software no longer lives in this machine!!



ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/31 12:17
Program Version: Version 1.3.5.0
Windows Version: Windows Vista SP1
==================================================

Drivers
-------------------
Name: dump_iaStor.sys
Image Path: C:\Windows\System32\Drivers\dump_iaStor.sys
Address: 0x8790C000 Size: 843776 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\Windows\system32\drivers\rootrepeal.sys
Address: 0xAA1EB000 Size: 49152 File Visible: No Signed: -
Status: -

Name: win32k.sys:1
Image Path: C:\Windows\win32k.sys:1
Address: 0x8C7D6000 Size: 20480 File Visible: No Signed: -
Status: -

Name: win32k.sys:2
Image Path: C:\Windows\win32k.sys:2
Address: 0x8C7DB000 Size: 61440 File Visible: No Signed: -
Status: -

Processes
-------------------
Path: System
PID: 4 Status: Locked to the Windows API!

Path: C:\Windows\System32\audiodg.exe
PID: 1464 Status: Locked to the Windows API!

Stealth Objects
-------------------
Object: Hidden Module [Name: UACirebtypcae.dll]
Process: svchost.exe (PID: 888) Address: 0x01400000 Size: 65536

Object: Hidden Module [Name: kbiwkmfxtrubon.dll]
Process: svchost.exe (PID: 888) Address: 0x10000000 Size: 53248

Object: Hidden Module [Name: kbiwkmmtrxeqoa.dll]
Process: explorer.exe (PID: 3840) Address: 0x002d0000 Size: 32768

Object: Hidden Module [Name: kbiwkmmtrxeqoa.dll]
Process: firefox.exe (PID: 5476) Address: 0x00320000 Size: 32768

Hidden Services
-------------------
Service Name: kbiwkmhgsbcdmo
Image Path: C:\Windows\system32\drivers\kbiwkmlkbvcduu.sys

Service Name: UACd.sys
Image Path: C:\Windows\system32\drivers\UACiecqicxlxv.sys

==EOF==

Edited by C. Jackson, 31 August 2009 - 12:36 PM.


BC AdBot (Login to Remove)

 


#2 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:01:47 PM

Posted 03 September 2009 - 09:01 PM

Hello C. Jackson,

You have a nasty rootkit on this computer. :(

Step 1

Download and run Win32kDiag:Step 2

Download and run a batch file (peek.bat):
  • Download peek.bat from the download link below and save it to your Desktop.
  • Double-click peek.bat to run it.A black Command Prompt window will appear shortly: the program is running.
  • Once it is finished, copy and paste the entire contents of the Log.txt file it creates as a reply to this post.
Please post back with:
  • Win32kDiag.txt
  • Content of the log.txt

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 C. Jackson

C. Jackson
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:03:47 PM

Posted 05 September 2009 - 09:14 AM

Thank You so much for the help!! I downloaded the files and executed them; however, upon running the peek.bat a window appeared stating that the program was not a valid win32 application. Here are the results of the other scan:


Log file is located at: C:\Users\User\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\Windows'...



Found mount point : C:\Windows\AppPatch\Custom\Custom

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2EBD.tmp\ZAP2EBD.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP3840.tmp\ZAP3840.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9AF7.tmp\ZAP9AF7.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9B0.tmp\ZAP9B0.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPA5B0.tmp\ZAPA5B0.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPB0D7.tmp\ZAPB0D7.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Driver Cache\Driver Cache

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Globalization\Globalization

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Help\Corporate\Corporate

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Help\OEM\OEM

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Installer\$PatchCache$\Managed\00002109510090400000000000F01FEC\12.0.6425\12.0.6425

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Installer\$PatchCache$\Managed\00002109511090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Installer\$PatchCache$\Managed\00002109711090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Installer\$PatchCache$\Managed\00002109910090400000000000F01FEC\12.0.6425\12.0.6425

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Installer\$PatchCache$\Managed\00002109A10090400000000000F01FEC\12.0.6425\12.0.6425

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Installer\$PatchCache$\Managed\7A6460EF0D914B142ABBC2536D4472D0\1.0.0\1.0.0

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\LiveKernelReports\LiveKernelReports

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Microsoft.NET\authman\authman

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ModemLogs\ModemLogs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\msdownld.tmp\msdownld.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\nap\configuration\configuration

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Options\CABS\CABS

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Options\Install\Install

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Panther\setup.exe\setup.exe

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\PCHEALTH\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\PLA\Templates\Templates

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\RegisteredPackages\{3695EB93-6443-448D-8E2E-1F6F4FC79BC1}\{3695EB93-6443-448D-8E2E-1F6F4FC79BC1}

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\RegisteredPackages\{89FDAB62-6F46-4C7E-A559-E00B9A0BACB6}\{89FDAB62-6F46-4C7E-A559-E00B9A0BACB6}

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SchCache\SchCache

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\security\templates\templates

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\GameExplorer\GameExplorer

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\Tfs_DAV

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Quick Launch

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\Description Documents\Description Documents

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Network Shortcuts

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Printer Shortcuts

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Recent\Recent

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\Templates

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Documents\Documents

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Downloads\Downloads

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Favorites\Favorites

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Links\Links

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Music\Music

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Pictures\Pictures

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Saved Games\Saved Games

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Videos\Videos

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\GameExplorer\GameExplorer

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows Media Player NSS\3.0\SCPD\SCPD

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Quick Launch

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Network Shortcuts

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Printer Shortcuts

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\Recent

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\Templates

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Documents\Documents

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Downloads\Downloads

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Favorites\Favorites

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Links\Links

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Music\Music

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Pictures\Pictures

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Saved Games\Saved Games

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Videos\Videos

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..-experience-apphelp_31bf3856ad364e35_6.0.6000.16866_none_7fe0c12063c7ff25\x86_microsoft-windows-a..-experience-apphelp_31bf3856ad364e35_6.0.6000.16866_none_7fe0c12063c7ff25: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..-experience-apphelp_31bf3856ad364e35_6.0.6000.21062_none_806634e57ce96cd5\x86_microsoft-windows-a..-experience-apphelp_31bf3856ad364e35_6.0.6000.21062_none_806634e57ce96cd5: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..-experience-apphelp_31bf3856ad364e35_6.0.6001.18267_none_81c8001060eda96d\x86_microsoft-windows-a..-experience-apphelp_31bf3856ad364e35_6.0.6001.18267_none_81c8001060eda96d: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..-experience-apphelp_31bf3856ad364e35_6.0.6001.22444_none_82643dbb79fdc277\x86_microsoft-windows-a..-experience-apphelp_31bf3856ad364e35_6.0.6001.22444_none_82643dbb79fdc277: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..-experience-apphelp_31bf3856ad364e35_6.0.6002.18046_none_83c3136c5e04aa7f\x86_microsoft-windows-a..-experience-apphelp_31bf3856ad364e35_6.0.6002.18046_none_83c3136c5e04aa7f: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..-experience-apphelp_31bf3856ad364e35_6.0.6002.22147_none_844db081772163a0\x86_microsoft-windows-a..-experience-apphelp_31bf3856ad364e35_6.0.6002.22147_none_844db081772163a0: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..bility-assistant-db_31bf3856ad364e35_6.0.6000.16866_none_4755e279c14fc1a0\x86_microsoft-windows-a..bility-assistant-db_31bf3856ad364e35_6.0.6000.16866_none_4755e279c14fc1a0: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..bility-assistant-db_31bf3856ad364e35_6.0.6000.21062_none_47db563eda712f50\x86_microsoft-windows-a..bility-assistant-db_31bf3856ad364e35_6.0.6000.21062_none_47db563eda712f50: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..bility-assistant-db_31bf3856ad364e35_6.0.6001.18267_none_493d2169be756be8\x86_microsoft-windows-a..bility-assistant-db_31bf3856ad364e35_6.0.6001.18267_none_493d2169be756be8: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..bility-assistant-db_31bf3856ad364e35_6.0.6001.22444_none_49d95f14d78584f2\x86_microsoft-windows-a..bility-assistant-db_31bf3856ad364e35_6.0.6001.22444_none_49d95f14d78584f2: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..bility-assistant-db_31bf3856ad364e35_6.0.6002.18046_none_4b3834c5bb8c6cfa\x86_microsoft-windows-a..bility-assistant-db_31bf3856ad364e35_6.0.6002.18046_none_4b3834c5bb8c6cfa: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..bility-assistant-db_31bf3856ad364e35_6.0.6002.22147_none_4bc2d1dad4a9261b\x86_microsoft-windows-a..bility-assistant-db_31bf3856ad364e35_6.0.6002.22147_none_4bc2d1dad4a9261b: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..ence-mitigations-c1_31bf3856ad364e35_6.0.6000.16866_none_0a011f83f55114da\x86_microsoft-windows-a..ence-mitigations-c1_31bf3856ad364e35_6.0.6000.16866_none_0a011f83f55114da: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..ence-mitigations-c1_31bf3856ad364e35_6.0.6000.21062_none_0a8693490e72828a\x86_microsoft-windows-a..ence-mitigations-c1_31bf3856ad364e35_6.0.6000.21062_none_0a8693490e72828a: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..ence-mitigations-c1_31bf3856ad364e35_6.0.6001.18267_none_0be85e73f276bf22\x86_microsoft-windows-a..ence-mitigations-c1_31bf3856ad364e35_6.0.6001.18267_none_0be85e73f276bf22: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..ence-mitigations-c1_31bf3856ad364e35_6.0.6001.22444_none_0c849c1f0b86d82c\x86_microsoft-windows-a..ence-mitigations-c1_31bf3856ad364e35_6.0.6001.22444_none_0c849c1f0b86d82c: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..ence-mitigations-c1_31bf3856ad364e35_6.0.6002.18046_none_0de371cfef8dc034\x86_microsoft-windows-a..ence-mitigations-c1_31bf3856ad364e35_6.0.6002.18046_none_0de371cfef8dc034: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..ence-mitigations-c1_31bf3856ad364e35_6.0.6002.22147_none_0e6e0ee508aa7955\x86_microsoft-windows-a..ence-mitigations-c1_31bf3856ad364e35_6.0.6002.22147_none_0e6e0ee508aa7955: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..ence-mitigations-c2_31bf3856ad364e35_6.0.6000.16866_none_0a021fcdf5502e31\x86_microsoft-windows-a..ence-mitigations-c2_31bf3856ad364e35_6.0.6000.16866_none_0a021fcdf5502e31: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..ence-mitigations-c2_31bf3856ad364e35_6.0.6000.21062_none_0a8793930e719be1\x86_microsoft-windows-a..ence-mitigations-c2_31bf3856ad364e35_6.0.6000.21062_none_0a8793930e719be1: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..ence-mitigations-c2_31bf3856ad364e35_6.0.6001.18267_none_0be95ebdf275d879\x86_microsoft-windows-a..ence-mitigations-c2_31bf3856ad364e35_6.0.6001.18267_none_0be95ebdf275d879: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..ence-mitigations-c2_31bf3856ad364e35_6.0.6001.22444_none_0c859c690b85f183\x86_microsoft-windows-a..ence-mitigations-c2_31bf3856ad364e35_6.0.6001.22444_none_0c859c690b85f183: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..ence-mitigations-c2_31bf3856ad364e35_6.0.6002.18046_none_0de47219ef8cd98b\x86_microsoft-windows-a..ence-mitigations-c2_31bf3856ad364e35_6.0.6002.18046_none_0de47219ef8cd98b: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..ence-mitigations-c2_31bf3856ad364e35_6.0.6002.22147_none_0e6f0f2f08a992ac\x86_microsoft-windows-a..ence-mitigations-c2_31bf3856ad364e35_6.0.6002.22147_none_0e6f0f2f08a992ac: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..ence-mitigations-c3_31bf3856ad364e35_6.0.6000.16866_none_0a032017f54f4788\x86_microsoft-windows-a..ence-mitigations-c3_31bf3856ad364e35_6.0.6000.16866_none_0a032017f54f4788: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..ence-mitigations-c3_31bf3856ad364e35_6.0.6000.21062_none_0a8893dd0e70b538\x86_microsoft-windows-a..ence-mitigations-c3_31bf3856ad364e35_6.0.6000.21062_none_0a8893dd0e70b538: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..ence-mitigations-c3_31bf3856ad364e35_6.0.6001.18267_none_0bea5f07f274f1d0\x86_microsoft-windows-a..ence-mitigations-c3_31bf3856ad364e35_6.0.6001.18267_none_0bea5f07f274f1d0: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..ence-mitigations-c3_31bf3856ad364e35_6.0.6001.22444_none_0c869cb30b850ada\x86_microsoft-windows-a..ence-mitigations-c3_31bf3856ad364e35_6.0.6001.22444_none_0c869cb30b850ada: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..ence-mitigations-c3_31bf3856ad364e35_6.0.6002.18046_none_0de57263ef8bf2e2\x86_microsoft-windows-a..ence-mitigations-c3_31bf3856ad364e35_6.0.6002.18046_none_0de57263ef8bf2e2: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..ence-mitigations-c3_31bf3856ad364e35_6.0.6002.22147_none_0e700f7908a8ac03\x86_microsoft-windows-a..ence-mitigations-c3_31bf3856ad364e35_6.0.6002.22147_none_0e700f7908a8ac03: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..ence-mitigations-c4_31bf3856ad364e35_6.0.6000.16866_none_0a042061f54e60df\x86_microsoft-windows-a..ence-mitigations-c4_31bf3856ad364e35_6.0.6000.16866_none_0a042061f54e60df: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..ence-mitigations-c4_31bf3856ad364e35_6.0.6000.21062_none_0a8994270e6fce8f\x86_microsoft-windows-a..ence-mitigations-c4_31bf3856ad364e35_6.0.6000.21062_none_0a8994270e6fce8f: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..ence-mitigations-c4_31bf3856ad364e35_6.0.6001.18267_none_0beb5f51f2740b27\x86_microsoft-windows-a..ence-mitigations-c4_31bf3856ad364e35_6.0.6001.18267_none_0beb5f51f2740b27: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..ence-mitigations-c4_31bf3856ad364e35_6.0.6001.22444_none_0c879cfd0b842431\x86_microsoft-windows-a..ence-mitigations-c4_31bf3856ad364e35_6.0.6001.22444_none_0c879cfd0b842431: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..ence-mitigations-c4_31bf3856ad364e35_6.0.6002.18046_none_0de672adef8b0c39\x86_microsoft-windows-a..ence-mitigations-c4_31bf3856ad364e35_6.0.6002.18046_none_0de672adef8b0c39: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..ence-mitigations-c4_31bf3856ad364e35_6.0.6002.22147_none_0e710fc308a7c55a\x86_microsoft-windows-a..ence-mitigations-c4_31bf3856ad364e35_6.0.6002.22147_none_0e710fc308a7c55a: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..ence-mitigations-c5_31bf3856ad364e35_6.0.6000.16866_none_0a0520abf54d7a36\x86_microsoft-windows-a..ence-mitigations-c5_31bf3856ad364e35_6.0.6000.16866_none_0a0520abf54d7a36: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..ence-mitigations-c5_31bf3856ad364e35_6.0.6000.21062_none_0a8a94710e6ee7e6\x86_microsoft-windows-a..ence-mitigations-c5_31bf3856ad364e35_6.0.6000.21062_none_0a8a94710e6ee7e6: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..ence-mitigations-c5_31bf3856ad364e35_6.0.6001.18267_none_0bec5f9bf273247e\x86_microsoft-windows-a..ence-mitigations-c5_31bf3856ad364e35_6.0.6001.18267_none_0bec5f9bf273247e: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..ence-mitigations-c5_31bf3856ad364e35_6.0.6001.22444_none_0c889d470b833d88\x86_microsoft-windows-a..ence-mitigations-c5_31bf3856ad364e35_6.0.6001.22444_none_0c889d470b833d88: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..ence-mitigations-c5_31bf3856ad364e35_6.0.6002.18046_none_0de772f7ef8a2590\x86_microsoft-windows-a..ence-mitigations-c5_31bf3856ad364e35_6.0.6002.18046_none_0de772f7ef8a2590: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..ence-mitigations-c5_31bf3856ad364e35_6.0.6002.22147_none_0e72100d08a6deb1\x86_microsoft-windows-a..ence-mitigations-c5_31bf3856ad364e35_6.0.6002.22147_none_0e72100d08a6deb1: 3
Found mount point : C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6000.16866_none_3fdf3668c441aa88\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6000.16866_none_3fdf3668c441aa88

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6000.21062_none_4064aa2ddd631838\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6000.21062_none_4064aa2ddd631838

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6001.18267_none_41c67558c16754d0\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6001.18267_none_41c67558c16754d0

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6001.22444_none_4262b303da776dda\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6001.22444_none_4262b303da776dda

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6002.18046_none_43c188b4be7e55e2\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6002.18046_none_43c188b4be7e55e2

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6002.22147_none_444c25c9d79b0f03\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6002.22147_none_444c25c9d79b0f03

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\f9870fa09c866a37752cd50336c30a22\x86_microsoft-windows-ie-iecompat_31bf3856ad364e35_8.0.6001.18819_none_83d6ded046b75eaf\x86_microsoft-windows-ie-iecompat_31bf3856ad364e35_8.0.6001.18819_none_83d6ded046b75eaf

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\f9870fa09c866a37752cd50336c30a22\x86_microsoft-windows-ie-iecompat_31bf3856ad364e35_8.0.6001.22909_none_846b4b875fcce288\x86_microsoft-windows-ie-iecompat_31bf3856ad364e35_8.0.6001.22909_none_846b4b875fcce288

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\PostRebootEventCache\PostRebootEventCache

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\0409\0409

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\Branding\en-US\en-US

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\catroot\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\com\dmp\dmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\config\Journal\Journal

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\AVGTOOLBAR\AVGTOOLBAR

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\DriverStore\FileRepository\hpoprn08.inf_2c0db9e0\chs\drivers\com_lang\com_lang

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\DriverStore\FileRepository\hpoprn08.inf_2c0db9e0\cht\drivers\com_lang\com_lang

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\DriverStore\FileRepository\hpoprn08.inf_2c0db9e0\csy\drivers\com_lang\com_lang

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\DriverStore\FileRepository\hpoprn08.inf_2c0db9e0\dan\drivers\com_lang\com_lang

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\DriverStore\FileRepository\hpoprn08.inf_2c0db9e0\deu\drivers\com_lang\com_lang

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\DriverStore\FileRepository\hpoprn08.inf_2c0db9e0\esm\drivers\com_lang\com_lang

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\DriverStore\FileRepository\hpoprn08.inf_2c0db9e0\fin\drivers\com_lang\com_lang

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\DriverStore\FileRepository\hpoprn08.inf_2c0db9e0\fra\drivers\com_lang\com_lang

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\DriverStore\FileRepository\hpoprn08.inf_2c0db9e0\grk\drivers\com_lang\com_lang

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\DriverStore\FileRepository\hpoprn08.inf_2c0db9e0\hun\drivers\com_lang\com_lang

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\DriverStore\FileRepository\hpoprn08.inf_2c0db9e0\ita\drivers\com_lang\com_lang

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\DriverStore\FileRepository\hpoprn08.inf_2c0db9e0\jpn\drivers\com_lang\com_lang

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\DriverStore\FileRepository\hpoprn08.inf_2c0db9e0\kor\drivers\com_lang\com_lang

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\DriverStore\FileRepository\hpoprn08.inf_2c0db9e0\nld\drivers\com_lang\com_lang

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\DriverStore\FileRepository\hpoprn08.inf_2c0db9e0\non\drivers\com_lang\com_lang

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\DriverStore\FileRepository\hpoprn08.inf_2c0db9e0\plk\drivers\com_lang\com_lang

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\DriverStore\FileRepository\hpoprn08.inf_2c0db9e0\ptb\drivers\com_lang\com_lang

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\DriverStore\FileRepository\hpoprn08.inf_2c0db9e0\rus\drivers\com_lang\com_lang

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\DriverStore\FileRepository\hpoprn08.inf_2c0db9e0\svc\drivers\com_lang\com_lang

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\DriverStore\FileRepository\hpoprn08.inf_2c0db9e0\tur\drivers\com_lang\com_lang

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\ENU\ENU

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\GroupPolicy\GroupPolicy

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\GroupPolicyUsers\GroupPolicyUsers

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\inetsrv\inetsrv

Mount point destination : \Device\__max++>\^

Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl

#4 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:01:47 PM

Posted 05 September 2009 - 01:08 PM

Hi C. Jackson,

Not good! The log you posted was truncated so it is no help.
Did you post it all?


Please do the following.

Download and Run SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • A blank Windows shall open with the title "SystemLook v1.0-by Jpshortstuff".
  • Copy and Paste the content of the following codebox into the main textfield under "File":
    :filefind
    scecli.dll 
    netlogon.dll
    cngaudit.dll 
    eventlog.dll
  • Please Confirm everything is copied and Pasted as I have provided above
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan.
  • Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
2nd Note: The scan may take a while from several seconds to a minute or more depending on the number of files you have and how fast your computer can perform the task

Edited by SifuMike, 05 September 2009 - 01:09 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 C. Jackson

C. Jackson
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:03:47 PM

Posted 05 September 2009 - 09:42 PM

More bad news Mike....."not a valid win32 application" window appears on both downloads upon execution!! Now what?

#6 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:01:47 PM

Posted 06 September 2009 - 12:05 AM

Hi C. Jackson,

What antivirus are you running? And what registry protectors areyou running (like Spybot Teatimer, Windows Defender, Ad-Watch, etc.)


See if this helps:
This utility fixes the exe file associations in the registry automatically.
http://windowsxp.mvps.org/exefile.htm
Let me know if it works.

Edited by SifuMike, 06 September 2009 - 12:14 AM.
typo

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 C. Jackson

C. Jackson
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:03:47 PM

Posted 06 September 2009 - 10:28 AM

Thank you for the speedy responses.....I'm running AVG Free 8.x, and RegCure by ParetoLogic. Your Reg cleaner, again, wouldn't run....non-valid win32 app...but I ran my RegCure. "fixed" a few errors; however no difference in any of the various downloads' run capabilities. Even after turning off AVG and RegCure and running all of the scanners, they still are disabled. I have turned back on AVG.

Thanks
Chris

#8 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:01:47 PM

Posted 06 September 2009 - 12:21 PM

Hi Chris,


Your Reg cleaner, again, wouldn't run....non-valid win32 app...but I ran my RegCure.


It is not a reg cleaner, it is a utility fixes the exe file associations in the registry automatically.


BTW, I do not recommend Registry Cleaners (RegCure) because they may damage rather than cleaning/fixing your registry.

You should only use them if you have a basic knowledge about the registry and know if a certain key/value is safe to be removed or not.

Cleaning the registry won't really improve system performance, even though there a lot of orphaned keys.
IMHO, if registry cleaning was required, then Microsoft would have added this option. So you use registry at you own risk. After all, a corrupted registry is a corrupted Windows.


Do yourself a favor and get rid of RegCure.
Registry cleaners can mess up so many things. It happened to me one time so I'm not just saying that.

*****************

We will run ComboFix.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of an Malware Removal Expert, not for private use.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.
Please read Combofix's Disclaimer.
Further, ComboFix logs are not permitted outside the HijackThis forums and then only when requested by a HJT Team member.

You need to disable your AVG Antivirus before running ComboFix, as it will prevent it from running.

To disable AVG antivirus:
Please open the AVG Control Center program -> double-click on the "AVG Resident Shield" component (looks like this: Posted Image) -> deselect the "Turn on AVG Resident Shield" checkmark and save the setting.
When you need to enable the AVG Resident Shield, ( I€™ll let you know when) just open the AVG Control Center program -> double-click on the "AVG Resident Shield" component -> select the "Turn on AVG Resident Shield" checkmark and save the setting.


Note: If you already have a copy of ComboFix on your system it is essential that you delete it before downloading this copy.

Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop..
Post the log from ComboFix in your next reply,

A caution - ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal and increase security. If this is an issue or makes it difficult for you -- please tell me.
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.
The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Edited by SifuMike, 06 September 2009 - 12:24 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 C. Jackson

C. Jackson
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:03:47 PM

Posted 06 September 2009 - 05:14 PM

Good info on RegCure....I will act accordingly and remove it. Now...ComboFix......wouldn't run, either download. Same "NOT VALID WIN32 APP" error. Is it time to throw the machine out the window ?!?!

#10 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:01:47 PM

Posted 06 September 2009 - 05:30 PM

Hi Chris,


Try renaming ComboFix.exe to another name like fluffybunny.exe
See if it runs.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#11 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:01:47 PM

Posted 06 September 2009 - 06:06 PM

Hi Chris,

If you still cant get ComboFix to run then scan your machine with ESET OnlineScan.
That may remove enough of the malware so that you can run ComboFix.
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#12 C. Jackson

C. Jackson
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:03:47 PM

Posted 07 September 2009 - 08:23 AM

Results of ESAT below. I tried running combofix again without success.


C:\Program Files\Mozilla Firefox\plugins\NPMyWebS.dll Win32/Toolbar.MyWebSearch application cleaned by deleting (after the next restart) - quarantined
C:\Program Files\MyWebSearch\bar\1.bin\F3CJPEG.DLL Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined
C:\Program Files\MyWebSearch\bar\1.bin\F3DTACTL.DLL Win32/Adware.FunWeb application cleaned by deleting - quarantined
C:\Program Files\MyWebSearch\bar\1.bin\F3HISTSW.DLL Win32/Adware.FunWeb application cleaned by deleting - quarantined
C:\Program Files\MyWebSearch\bar\1.bin\F3HKSTUB.DLL Win32/Toolbar.MyWebSearch application cleaned by deleting (after the next restart) - quarantined
C:\Program Files\MyWebSearch\bar\1.bin\F3HTMLMU.DLL Win32/Adware.FunWeb application cleaned by deleting (after the next restart) - quarantined
C:\Program Files\MyWebSearch\bar\1.bin\F3HTTPCT.DLL Win32/Adware.FunWeb application cleaned by deleting - quarantined
C:\Program Files\MyWebSearch\bar\1.bin\F3POPSWT.DLL Win32/Adware.FunWeb application cleaned by deleting - quarantined
C:\Program Files\MyWebSearch\bar\1.bin\F3PSSAVR.SCR Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined
C:\Program Files\MyWebSearch\bar\1.bin\F3REGHK.DLL Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined
C:\Program Files\MyWebSearch\bar\1.bin\F3REPROX.DLL Win32/Adware.FunWeb application cleaned by deleting - quarantined
C:\Program Files\MyWebSearch\bar\1.bin\F3RESTUB.DLL Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined
C:\Program Files\MyWebSearch\bar\1.bin\F3SCHMON.EXE Win32/Adware.FunWeb application cleaned by deleting - quarantined
C:\Program Files\MyWebSearch\bar\1.bin\F3SCRCTR.DLL Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined
C:\Program Files\MyWebSearch\bar\1.bin\F3WPHOOK.DLL Win32/FunWeb application cleaned by deleting - quarantined
C:\Program Files\MyWebSearch\bar\1.bin\M3HIGHIN.EXE Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined
C:\Program Files\MyWebSearch\bar\1.bin\M3HTML.DLL Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined
C:\Program Files\MyWebSearch\bar\1.bin\M3IDLE.DLL Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined
C:\Program Files\MyWebSearch\bar\1.bin\M3IMPIPE.EXE Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined
C:\Program Files\MyWebSearch\bar\1.bin\M3MEDINT.EXE Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined
C:\Program Files\MyWebSearch\bar\1.bin\M3MSG.DLL Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined
C:\Program Files\MyWebSearch\bar\1.bin\M3NTSTBR.JAR Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined
C:\Program Files\MyWebSearch\bar\1.bin\M3OUTLCN.DLL Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined
C:\Program Files\MyWebSearch\bar\1.bin\M3PLUGIN.DLL Win32/Toolbar.MyWebSearch application cleaned by deleting (after the next restart) - quarantined
C:\Program Files\MyWebSearch\bar\1.bin\M3SKIN.DLL Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined
C:\Program Files\MyWebSearch\bar\1.bin\M3SKPLAY.EXE Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined
C:\Program Files\MyWebSearch\bar\1.bin\M3SLSRCH.EXE Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined
C:\Program Files\MyWebSearch\bar\1.bin\M3SRCHMN.EXE Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined
C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL Win32/Toolbar.MyWebSearch application cleaned by deleting (after the next restart) - quarantined
C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined
C:\Program Files\MyWebSearch\bar\1.bin\MWSOEPLG.DLL Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined
C:\Program Files\MyWebSearch\bar\1.bin\MWSOESTB.DLL Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined
C:\Program Files\MyWebSearch\bar\1.bin\MWSSRCAS.DLL Win32/Toolbar.MyWebSearch application cleaned by deleting (after the next restart) - quarantined
C:\Program Files\MyWebSearch\bar\1.bin\MWSSVC.EXE Win32/Toolbar.MyWebSearch application cleaned by deleting (after the next restart) - quarantined
C:\Program Files\MyWebSearch\bar\1.bin\NPMYWEBS.DLL Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined
C:\Program Files\runit\runit_32.exe Win32/VB.OAI trojan cleaned by deleting - quarantined
C:\Program Files\Windows Police Pro\tmp\dbsinit.exe Win32/Adware.WinAntiVirus application deleted - quarantined
C:\Program Files\Windows Police Pro\tmp\wispex.html Win32/Adware.WinAntiVirus application cleaned by deleting - quarantined
C:\Users\Public\Music\MUSIC\Brad Paisley\Brad Paisley - I wish you'd stay.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan cleaned - quarantined
C:\Users\User\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JR2FH7F7\20090815093406[1].exe a variant of Win32/TrojanDropper.Small.NJP trojan cleaned by deleting - quarantined
C:\Users\User\AppData\Local\Temp\bvfymterxm.tmp a variant of Win32/Kryptik.AGO trojan cleaned by deleting - quarantined
C:\Users\User\AppData\Local\Temp\NOD6FCA.tmp Win32/Toolbar.MyWebSearch application cleaned by deleting (after the next restart) - quarantined
C:\Users\User\AppData\Local\Temp\NOD7FAD.tmp Win32/Toolbar.MyWebSearch application cleaned by deleting (after the next restart) - quarantined
C:\Users\User\AppData\Local\Temp\NOD821E.tmp Win32/Adware.FunWeb application cleaned by deleting (after the next restart) - quarantined
C:\Users\User\AppData\Local\Temp\NODACAA.tmp Win32/Toolbar.MyWebSearch application cleaned by deleting (after the next restart) - quarantined
C:\Users\User\AppData\Local\Temp\NODB86E.tmp Win32/Toolbar.MyWebSearch application cleaned by deleting (after the next restart) - quarantined
C:\Users\User\AppData\Local\Temp\NODC22F.tmp Win32/Toolbar.MyWebSearch application cleaned by deleting (after the next restart) - quarantined
C:\Users\User\AppData\Local\Temp\NODC4A0.tmp Win32/Toolbar.MyWebSearch application cleaned by deleting (after the next restart) - quarantined
C:\Users\User\AppData\Local\Temp\UACc708.tmp a variant of Win32/Kryptik.AIE trojan cleaned by deleting - quarantined
C:\Windows\aptt85451.exe Win32/VB.OAI trojan deleted - quarantined
C:\Windows\System32\f3PSSavr.scr Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined

#13 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:01:47 PM

Posted 07 September 2009 - 10:42 AM

Hi Chris,


ESET removed some the malware, but I am sure there is loads left.
I think the malware is preventing your antivirus for running.

Dont run ComboFix after running scanner, just report back.


Lets run an F-Secure online scan for Viruses, Spyware and RootKits:
Go to http://support.f-secure.com/enu/home/ols.shtml

Notes:
This scan will only work with Internet Explorer
You must have administrator rights to run this scan
This scan can take several hours, so please be patient

Scroll to the bottom of the page and click the Start scanning button. A window will pop up.
Allow the Active X control to be installed on your computer, then click the Accept button
Click Full System Scan and allow the components to download and the scan to complete.
If malware is found, check Submit samples to F-Secure then select Automatic cleaning
When cleaning has finitished, click Show report (this will open an Internet Explorer window containing the report)
Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post


If Automatic cleaning with Submit samples hangs, click Cancel, then New Scan
When the cleaning option is presented, Uncheck Submit samples to F-Secure
Click Automatic cleaning
When cleaning has finitished, click Show report (this will open an Internet Explorer window containing the report)
Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post

Edited by SifuMike, 07 September 2009 - 10:46 AM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#14 C. Jackson

C. Jackson
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:03:47 PM

Posted 07 September 2009 - 01:56 PM

F-Secure hung repeatedly at 58% of the file download. It never even got to the scan. It displayed an error window stating it was unable download all the files necessary for the scan.

#15 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:01:47 PM

Posted 07 September 2009 - 02:24 PM

Hi Chris,

The site is probably overloaded.
Because of the holiday, We have many people online today and that is slowing the Internet.

Let try another scanner.


Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users